My application uses Azure AD to log in, and that part works fine.
Now I want to give users access to different parts of the application by their AD groups.
How can I do that?
And is it possible to not log the user in if he/she is not a member of that group?
I did try a lot of different things, and I also got some AD information, but not the groups.
2 Answers
Just because you received a token doesn't mean you have access to all information associated with that user. The token only contains a basic set of information, mostly to identify the user and their authorizations for the scope of the token.
What you should do is assign roles to the app registration and then assign your groups to the specific roles. The roles will appear in your token, and you can then determine their permissions using those in your Blazor app.
If you need information on the groups, you could add permissions to your app registration for the Microsoft Graph API. You can then call the Graph API to get information about groups and similar features. For permissions you should stick to the roles and scopes, though.
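The role-based setup described in this answer, as an added example that is not code from the answer or from Microsoft: a `Program.cs` for a Blazor Server app that signs users in with Azure AD through Microsoft.Identity.Web and authorizes by app role. It assumes an `AzureAd` section in `appsettings.json`, and that the app registration manifest declares app roles whose `value` strings are `Finance.Read` and `App.Admin` (names chosen for this example), with the relevant Azure AD groups assigned to those roles under the enterprise application's "Users and groups", so that the `roles` claim arrives in the ID token.

```csharp
// Added example (not from the answer above): Program.cs for a Blazor Server app that
// signs users in with Azure AD via Microsoft.Identity.Web and authorizes by app role.
// Assumptions: the "AzureAd" section of appsettings.json holds the tenant/client ids,
// and the app registration's manifest declares app roles whose "value" strings are
// "Finance.Read" and "App.Admin" (names chosen for this example), e.g.
//   { "allowedMemberTypes": ["User"], "displayName": "Finance reader",
//     "id": "<GUID-PLACEHOLDER>", "isEnabled": true, "value": "Finance.Read" }
// AD groups are assigned to those roles in the enterprise application, so the
// "roles" claim is present in the ID token for members of those groups.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Sign-in with Azure AD (OpenID Connect). Microsoft.Identity.Web sets the identity's
// role claim type to "roles", so ClaimsPrincipal.IsInRole and RequireRole see the
// app roles from the token without any extra claim mapping.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Per-page or per-component policies, used with [Authorize(Policy = "...")]
    // or <AuthorizeView Policy="...">.
    options.AddPolicy("FinanceOnly", policy => policy.RequireRole("Finance.Read"));
    options.AddPolicy("AdminOnly",   policy => policy.RequireRole("App.Admin"));

    // Fallback policy: every endpoint without an explicit [Authorize]/[AllowAnonymous]
    // requires a signed-in user holding at least one app role. A user who authenticates
    // but is in none of the assigned groups is refused everywhere, which is the
    // server-side equivalent of "not letting them in".
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole("Finance.Read", "App.Admin")
        .Build();
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI(); // sign-in / sign-out endpoints
builder.Services.AddServerSideBlazor()
    .AddMicrosoftIdentityConsentHandler();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();          // MicrosoftIdentity/Account/* endpoints
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
```

The fallback policy is what answers the "don't let them in" part of the question on the application side: Azure AD will still issue a token to any user in the tenant, but the app refuses every page to a user whose token carries none of the expected `roles` values. The sign-in and access-denied endpoints added by `AddMicrosoftIdentityUI` are anonymous, so the redirect to login still works.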
In addition to NotFound's answer: checking the role in Blazor is not difficult. You should have an `AuthenticationState`. In your class, set up that parameter. Then in `OnInitialized` I call the authentication state, which will give you your user, and you can call `IsInRole()`. I do this on my index page and then store it in session storage. I had to read this article five times before it sunk in. It's worth the effort: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-7.0
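The `AuthenticationState` / `IsInRole()` check this answer describes, written out as an added example (not the answerer's code): a code-behind class for `Index.razor` in a Blazor Server app. It assumes `App.razor` wraps the router in `<CascadingAuthenticationState>`, and that the role names `Finance.Read` and `App.Admin` match the `value` of app roles declared in the app registration (constructed names for this example).

```csharp
// Added example (not code from the answer): code-behind for Index.razor that reads the
// cascaded AuthenticationState and checks Azure AD app roles on the signed-in user.
// Assumptions: App.razor wraps <Router> in <CascadingAuthenticationState>, and the role
// names "Finance.Read" / "App.Admin" are app-role "value"s from the app registration
// (constructed for this example).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;

public partial class Index : ComponentBase
{
    // Supplied by <CascadingAuthenticationState>; it is a Task because the provider
    // may still be resolving the user when the component is created.
    [CascadingParameter]
    private Task<AuthenticationState>? AuthenticationStateTask { get; set; }

    protected string? UserName { get; private set; }
    protected bool CanViewFinance { get; private set; }
    protected bool IsAdmin { get; private set; }
    protected IReadOnlyList<string> AppRoles { get; private set; } = Array.Empty<string>();

    protected override async Task OnInitializedAsync()
    {
        if (AuthenticationStateTask is null)
            return; // rendered outside <CascadingAuthenticationState>: nothing to check

        var user = (await AuthenticationStateTask).User;
        if (user.Identity?.IsAuthenticated != true)
            return; // anonymous: the markup should show a sign-in link instead

        UserName = user.Identity.Name;          // "preferred_username" under Microsoft.Identity.Web
        AppRoles = RolesOf(user);
        CanViewFinance = HasAppRole(user, "Finance.Read");
        IsAdmin = HasAppRole(user, "App.Admin");
    }

    // IsInRole() only sees the token's "roles" claim when the identity's RoleClaimType
    // is "roles" (Microsoft.Identity.Web configures this). Reading the claim type
    // directly as a fallback keeps the check working under a plain OpenID Connect setup.
    internal static bool HasAppRole(ClaimsPrincipal user, string role) =>
        user.IsInRole(role) ||
        user.Claims.Any(c => c.Type == "roles" &&
                             string.Equals(c.Value, role, StringComparison.Ordinal));

    // All app roles carried by the principal, whichever claim type they were mapped to.
    internal static IReadOnlyList<string> RolesOf(ClaimsPrincipal user) =>
        user.Claims
            .Where(c => c.Type == "roles" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .Distinct(StringComparer.Ordinal)
            .ToList();
}
```

The flags computed here are for rendering decisions in the component's markup (show or hide a menu entry, for instance); the same result is available declaratively with `<AuthorizeView Roles="Finance.Read">`. Whatever the UI shows, the authoritative gate stays on the server: an `[Authorize]` attribute or authorization policy on the page, re-evaluated from the `AuthenticationState` on each request, rather than a flag persisted in browser session storage, which the user can edit.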